RPM Signature Package
This package provides rules for verifying the signatures of RPMs identified in the the SLSA Provenance attestation.
Rules Included
Allowed RPM signature key
The SLSA Provenance attestation for the image is inspected to ensure RPMs have been signed by pre-defined set of signing keys. The list of signing keys can be set via the allowed_rpm_signature_keys rule data. Use the special value "unsigned" to allow unsigned RPMs.
Solution: Make sure to use RPMs that have been signed by the expected signing key. An RPM lacking such signature, usually indicated the RPM is not ready for consumption.
-
Rule type: FAILURE
-
FAILURE message:
Signing key %q is not one of the allowed keys: %s -
Code:
rpm_signature.allowed -
Effective from:
2024-10-05T00:00:00Z
Result format
Confirm the format of the RPMS_DATA result is in the expected format.
-
Rule type: FAILURE
-
FAILURE message:
%s -
Code:
rpm_signature.result_format -
Effective from:
2024-10-05T00:00:00Z
Rule data provided
Confirm the expected allowed_rpm_signature_keys rule data key has been provided in the expected format.
-
Rule type: FAILURE
-
FAILURE message:
%s -
Code:
rpm_signature.rule_data_provided -
Effective from:
2024-10-05T00:00:00Z